Cyber Incident Victim: Lansing Board of Water & Light
Date: Apr 2016
Location: United States of America
Summary
A ransomware infection impacted a water and lighting utility after an employee opened a malicious email attachment, encrypting files and spreading across the network. The attack forced the shutdown of internal systems, email services for approximately 250 staff, and a customer assistance phone line, though water and power delivery remained operational and no customer data was compromised. The utility's antivirus initially failed to detect the novel threat, prompting an upgrade to a solution capable of identifying it. While bill payments and other online services continued via the company website, the incident led to a temporary suspension of service shutoffs and was reported to law enforcement. This marked the organization's first ransomware encounter, having previously experienced only a brief website intrusion.
Description
The Lansing Board of Water & Light (BWL) experienced a ransomware incident on April 25, 2016, beginning at approximately 5:00 AM when an employee opened a malicious email attachment. This action triggered the infection, which encrypted files on the employee's computer before propagating to other systems within the utility's network. BWL's existing antivirus software failed to detect the ransomware, which officials characterized as a novel threat at the time. Subsequent investigation revealed only three antivirus products in the broader market could identify the malware, prompting BWL to upgrade to one of these solutions. The attack exhibited characteristics of typical crypto-ransomware, leading to immediate operational disruptions including the shutdown of the internal corporate network and email systems affecting approximately 250 employees. A customer assistance phone line used for account inquiries was also taken offline as a containment measure. Utility officials confirmed no customer data was encrypted during the incident but proactively suspended all power and water service disconnections as a precautionary measure.

Despite network disruptions, BWL maintained continuous water and electrical service delivery throughout the incident. The utility's primary website (lbwl.com) remained operational for bill payments, service turn-on requests, and general inquiries, while other phone lines and a separate physical service center continued functioning normally. BWL notified both local Lansing police and the FBI about the attack. This was the organization's first ransomware encounter, in contrast to a prior limited website compromise that lasted only hours. The utility did not disclose whether ransom demands were made or paid, nor did it identify the specific ransomware variant involved. Service restoration timelines for affected internal systems were not publicly detailed, though the upgraded antivirus protection was a key remediation step. Operational adjustments prioritized maintaining critical infrastructure while containing the malware's spread across administrative networks.
